Field | Value
---|---
File name | Calculation-756293702-Jan-24.zip
Full analysis | https://app.any.run/tasks/7f7d2a38-4c2e-4af1-a1d8-907f915f1f55
Verdict | Malicious activity
Threats | Emotet is a long-running, repeatedly upgraded trojan and one of the most destructive pieces of malware in circulation. It mainly targets corporate victims, but private users are also infected through mass spam email campaigns.
Analysis date | January 24, 2022, 18:49:40
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME | application/zip
File info | Zip archive data, at least v2.0 to extract
MD5 | BCAE208DD51EBE125AF614EC97D28D25
SHA1 | 790CC53AB5EF32FD25ED2825842D1A94AB808EB6
SHA256 | 94F87072DC59AF164CCCACC0D19042E816403A61907DEF073793F924CEB2EFE0
SSDEEP | 1536:rcs2/xO8zxgoCRYIvJvqzLFCOWzUdwgw1E1gEmy6476LnLp0uXl/+nrh42XH75:on/s8zxLEUw1E1gywDL9Xl/M2GF
Field | Value
---|---
File type | .zip: ZIP compressed archive (100)
ZipFileName | Calculation-756293702-Jan-24.xlsb
ZipUncompressedSize | 132023
ZipCompressedSize | 99262
ZipCRC | 0x0c66854c
ZipModifyDate | 2022:01:24 14:13:22
ZipCompression | Deflated
ZipBitFlag | -
ZipRequiredVersion | 20
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
2752 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Calculation-756293702-Jan-24.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | Explorer.EXE | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Exit code: 0; Version: 5.91.0
3712 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | | WinRAR.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Excel; Exit code: 0; Version: 14.0.6024.1000
540 | regsvr32 C:\ProgramData\VDscytujyctfjkvu1.ocx | C:\Windows\system32\regsvr32.exe | — | EXCEL.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft(C) Register Server; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2972 | C:\Windows\explorer.exe | C:\Windows\explorer.exe | — | regsvr32.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Explorer; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
396 | regsvr32 C:\ProgramData\VDscytujyctfjkvu2.ocx | C:\Windows\system32\regsvr32.exe | — | EXCEL.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft(C) Register Server; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3544 | C:\Windows\explorer.exe | C:\Windows\explorer.exe | — | regsvr32.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Explorer; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
664 | regsvr32 C:\ProgramData\VDscytujyctfjkvu3.ocx | C:\Windows\system32\regsvr32.exe | — | EXCEL.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft(C) Register Server; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2220 | C:\Windows\explorer.exe | C:\Windows\explorer.exe | — | regsvr32.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Explorer; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3108 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Calculation-756293702-Jan-24.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | Explorer.EXE | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Exit code: 0; Version: 5.91.0
3384 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | | WinRAR.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Excel; Exit code: 0; Version: 14.0.6024.1000
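The process table records the chain WinRAR.exe -> EXCEL.EXE (/dde) -> regsvr32.exe loading VDscytujyctfjkvu1..3.ocx from C:\ProgramData -> explorer.exe. The script below is an added detection example and is not part of the ANY.RUN report: it replays that chain as hand-constructed process-creation events and flags the three behaviours a detection engineer would alert on (Office spawning a COM/script host, regsvr32 registering a module from an untrusted directory, regsvr32 spawning a child). The record layout, rule names and the wider Office/proxy-host image sets are assumptions that generalise past the single EXCEL.EXE -> regsvr32.exe pairing shown here.

```python
"""Process-chain detection for the WinRAR -> EXCEL.EXE -> regsvr32 -> explorer.exe
tree in the process table above.

Added example, not code from the ANY.RUN report. The sample events below are
constructed by hand from that table (PIDs, images, command lines, parents);
the record layout, the rule names and the Office/host image sets are ours and
generalise beyond the single EXCEL.EXE -> regsvr32.exe pairing the page shows.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Assumption: parents and children worth pairing. The page only shows EXCEL.EXE
# spawning regsvr32.exe; the other names are the usual neighbours.
OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
PROXY_HOSTS = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
# World-writable or per-user locations a COM server should not be registered from.
UNTRUSTED_DIRS = ("c:\\programdata\\", "c:\\users\\public\\", "\\appdata\\local\\temp\\", "\\downloads\\")
# Extensions regsvr32 legitimately loads; anything else is suspicious on its own.
COM_EXTS = {".dll", ".ocx"}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str         # full path of the new process
    cmdline: str
    parent_image: str  # image name (or path) of the parent


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


_ARG = re.compile(r'"([^"]*)"|(\S+)')


def module_argument(cmdline: str) -> str:
    """The file regsvr32 was told to load: first argument after the executable
    that is not a switch (/s, /n, /i:..., -u ...). Quotes are stripped."""
    args = [quoted or bare for quoted, bare in _ARG.findall(cmdline)]
    for arg in args[1:]:
        if not arg.startswith(("/", "-")):
            return arg
    return ""


def detect(events: Iterable[ProcEvent]) -> List[Tuple[str, int, str]]:
    """Return (rule, pid, detail) for every event that matches a rule."""
    findings: List[Tuple[str, int, str]] = []
    for ev in events:
        image, parent = basename(ev.image), basename(ev.parent_image)

        # Rule 1: an Office application launching a COM/script proxy host.
        if parent in OFFICE_IMAGES and image in PROXY_HOSTS:
            findings.append(("office_spawns_proxy_host", ev.pid, f"{parent} -> {image}"))

        # Rule 2: regsvr32 given a module from an untrusted directory or with
        # a non-COM extension. The .ocx files here trip the directory check.
        if image == "regsvr32.exe":
            module = module_argument(ev.cmdline).lower()
            ext = "." + basename(module).rsplit(".", 1)[-1] if "." in basename(module) else ""
            if module and (any(d in module for d in UNTRUSTED_DIRS) or ext not in COM_EXTS):
                findings.append(("regsvr32_untrusted_module", ev.pid, module))

        # Rule 3: regsvr32 is normally a leaf; a child process is unexpected.
        if parent == "regsvr32.exe":
            findings.append(("regsvr32_spawns_child", ev.pid, image))
    return findings


# Constructed from the process table above (PID, image, command line, parent).
SAMPLE_EVENTS = [
    ProcEvent(2752, r"C:\Program Files\WinRAR\WinRAR.exe",
              r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Calculation-756293702-Jan-24.zip"',
              "Explorer.EXE"),
    ProcEvent(3712, r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
              r'"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde', "WinRAR.exe"),
    ProcEvent(540, r"C:\Windows\system32\regsvr32.exe",
              r"regsvr32 C:\ProgramData\VDscytujyctfjkvu1.ocx", "EXCEL.EXE"),
    ProcEvent(2972, r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe", "regsvr32.exe"),
    ProcEvent(396, r"C:\Windows\system32\regsvr32.exe",
              r"regsvr32 C:\ProgramData\VDscytujyctfjkvu2.ocx", "EXCEL.EXE"),
    ProcEvent(3544, r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe", "regsvr32.exe"),
    ProcEvent(664, r"C:\Windows\system32\regsvr32.exe",
              r"regsvr32 C:\ProgramData\VDscytujyctfjkvu3.ocx", "EXCEL.EXE"),
    ProcEvent(2220, r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe", "regsvr32.exe"),
    # Control case, constructed and not on the page: an installer registering a
    # system DLL silently. It must not produce a finding.
    ProcEvent(4000, r"C:\Windows\system32\regsvr32.exe",
              r"regsvr32 /s C:\Windows\System32\msxml3.dll", "msiexec.exe"),
]

if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:26} pid={pid:<5} {detail}")
```

Run against the events from this report the script yields nine findings (three per regsvr32 instance: the Office parent, the C:\ProgramData module, and the explorer.exe child) and nothing for the WinRAR, Excel or control rows. Rule 2 keys on the directory rather than the .ocx extension on purpose: .ocx is a legitimate COM extension, so a naive "not .dll" check would both miss and over-alert.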
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3712 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRA48A.tmp.cvr | — | — | —
3384 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR1B5B.tmp.cvr | — | — | —
3108 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa3108.46502\Calculation-756293702-Jan-24.xlsb | document | 83BAAF396D2353C0B7424DC15F08A5BF | A5163F09336D138DB035440796A7ACCBCB286F9D2EB604FA2E5D143D35A007D2
2752 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa2752.36897\Calculation-756293702-Jan-24.xlsb | document | 83BAAF396D2353C0B7424DC15F08A5BF | A5163F09336D138DB035440796A7ACCBCB286F9D2EB604FA2E5D143D35A007D2
3712 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\2393223809381040[1].dat | executable | D07E5ACD4F959B5942D8F126E9BA9615 | FD9707AB0A82D91ED98ADB8F588BA2A72478B76EBCBF8C2376C1BDD1700A7378
3384 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\4253313829777100[1].dat | executable | 270603C51B9CEC3236748AEA50FAA72E | F4B3FF8DFC3CF82EBC8289A403C4296F155AB4B887B8DE83D3CAD84C241A964E
3712 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\2393223809381040[3].dat | executable | EBC37197B3E13BBE7E411CFD9ECB8102 | 0CCA01E8B7849F9BAF766B6A0B83CC364BEC0629BC4FBD1F58C23CFECE78503A
3384 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\4253313829777100[2].dat | executable | 889A5B22BE9F93334C78EE005D750344 | 868786E0CAC7B595A7BF9036BBCB7271EE329A596F66B442E26C3B91C1069363
3712 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\Rar$DIa2752.36897\~$Calculation-756293702-Jan-24.xlsb | pgc | 21E5D64E6DD2C94C577A61B0A25DE7A4 | 657F0604A7C1F6CFDC4E8A224F59BD6E1900A4A4DD8B3F61A20F67DEBE41F209
3712 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5DBB2A93.jpg | image | BE66A2107004A96BD550A0192B4C1D36 | 90C20F16A83F7B600FD1529C69470F70D94130A0CF30F6FF5B02E4436EDEBE4A
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
---|---|---|---|---|---|---|---|---|---
3384 | EXCEL.EXE | GET | 200 | 185.82.127.129:80 | http://185.82.127.129/4253313829777100.dat | SE | executable | 1.64 MB | suspicious
3712 | EXCEL.EXE | GET | 200 | 91.193.18.87:80 | http://91.193.18.87/2393223809381040.dat | unknown | executable | 1.64 MB | suspicious
3384 | EXCEL.EXE | GET | 200 | 101.99.95.16:80 | http://101.99.95.16/4253313829777100.dat | MY | executable | 1.64 MB | suspicious
3712 | EXCEL.EXE | GET | 200 | 185.82.127.129:80 | http://185.82.127.129/2393223809381040.dat | SE | executable | 1.64 MB | suspicious
3712 | EXCEL.EXE | GET | 200 | 101.99.95.16:80 | http://101.99.95.16/2393223809381040.dat | MY | executable | 1.64 MB | suspicious
3384 | EXCEL.EXE | GET | 200 | 91.193.18.87:80 | http://91.193.18.87/4253313829777100.dat | unknown | executable | 1.64 MB | suspicious
PID | Process | IP | Domain | ASN | CN | Reputation
---|---|---|---|---|---|---
3712 | EXCEL.EXE | 91.193.18.87:80 | — | — | — | suspicious
3384 | EXCEL.EXE | 101.99.95.16:80 | — | — | MY | suspicious
3712 | EXCEL.EXE | 101.99.95.16:80 | — | — | MY | suspicious
3712 | EXCEL.EXE | 185.82.127.129:80 | — | Makonix SIA | SE | suspicious
3384 | EXCEL.EXE | 185.82.127.129:80 | — | Makonix SIA | SE | suspicious
3384 | EXCEL.EXE | 91.193.18.87:80 | — | — | — | suspicious
PID | Process | Class | Message
---|---|---|---
3712 | EXCEL.EXE | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 |
3712 | EXCEL.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3712 | EXCEL.EXE | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 |
3712 | EXCEL.EXE | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2 |
3712 | EXCEL.EXE | Potentially Bad Traffic | ET INFO SUSPICIOUS Dotted Quad Host MZ Response |
3712 | EXCEL.EXE | Misc activity | ET INFO EXE - Served Attached HTTP |
3712 | EXCEL.EXE | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 |
3712 | EXCEL.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3712 | EXCEL.EXE | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 |
3712 | EXCEL.EXE | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2 |
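The HTTP table and the ET alerts above describe the same download pattern three times per Excel instance: a GET to a bare IPv4 host for a `.dat` path that returns a Windows PE, which is what the "Dotted Quad Host MZ Response" and "MSXMLHTTP non-exe extension" signatures key on. The script below is an added example, not the report's or Emerging Threats' code. It reimplements those checks over transactions constructed from the table, walks the DOS header to the PE signature instead of matching a bare `MZ`, and groups the serving hosts per requesting PID so the three-host distribution list each Excel process walked becomes visible. Response bodies are stand-ins because the report records only hashes and sizes; the Office image set is an assumption.

```python
"""Network-side triage for the six GETs in the HTTP table above: a Windows PE
served by a bare-IP host under a non-executable extension, requested by an
Office process, and the same path fetched from several hosts by one PID.

Added example, not code from the ANY.RUN report or from the Emerging Threats
rules it lists. The transactions are constructed from the HTTP table; the
response bodies are stand-ins with a valid DOS/PE header, since the report
gives only hashes and sizes, not bytes.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple
from urllib.parse import urlsplit

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe"}  # assumption, not from the page
EXECUTABLE_EXTS = {".exe", ".dll", ".ocx", ".scr", ".cpl", ".msi"}


@dataclass(frozen=True)
class HttpTx:
    pid: int
    process: str
    method: str
    url: str
    status: int
    body: bytes  # leading bytes of the response body


def is_bare_ip_host(url: str) -> bool:
    """True when the host part is an IP literal rather than a name."""
    host = urlsplit(url).hostname or ""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def url_extension(url: str) -> str:
    name = urlsplit(url).path.rsplit("/", 1)[-1]
    return ("." + name.rsplit(".", 1)[-1]).lower() if "." in name else ""


def is_pe(body: bytes) -> bool:
    """Stricter than a bare 'MZ' check: follow e_lfanew to the PE signature."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(body[0x3C:0x40], "little")
    return body[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def classify(tx: HttpTx) -> List[str]:
    """Reasons a successful PE download is suspicious; empty list if none."""
    reasons: List[str] = []
    if tx.status == 200 and is_pe(tx.body):
        if is_bare_ip_host(tx.url):
            reasons.append("pe_from_bare_ip_host")
        if url_extension(tx.url) not in EXECUTABLE_EXTS:
            reasons.append("pe_under_nonexec_extension")
        if tx.process.lower() in OFFICE_IMAGES:
            reasons.append("pe_fetched_by_office_process")
    return reasons


def triage(txs: Iterable[HttpTx]) -> Tuple[List[Tuple[int, str, List[str]]], Dict[int, List[str]]]:
    """Alerts per transaction plus, per PID, the distinct hosts that served a PE."""
    alerts: List[Tuple[int, str, List[str]]] = []
    hosts: Dict[int, Set[str]] = {}
    for tx in txs:
        reasons = classify(tx)
        if reasons:
            alerts.append((tx.pid, tx.url, reasons))
            hosts.setdefault(tx.pid, set()).add(urlsplit(tx.url).hostname or "")
    return alerts, {pid: sorted(h) for pid, h in hosts.items()}


# Constructed stand-in body: 'MZ', zero padding, e_lfanew = 0x40, then 'PE\0\0'.
PE_STUB = b"MZ" + b"\0" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\0\0" + b"\0" * 20

# Constructed from the HTTP table above (PID, process, method, URL, status).
SAMPLE_TXS = [
    HttpTx(3384, "EXCEL.EXE", "GET", "http://185.82.127.129/4253313829777100.dat", 200, PE_STUB),
    HttpTx(3712, "EXCEL.EXE", "GET", "http://91.193.18.87/2393223809381040.dat", 200, PE_STUB),
    HttpTx(3384, "EXCEL.EXE", "GET", "http://101.99.95.16/4253313829777100.dat", 200, PE_STUB),
    HttpTx(3712, "EXCEL.EXE", "GET", "http://185.82.127.129/2393223809381040.dat", 200, PE_STUB),
    HttpTx(3712, "EXCEL.EXE", "GET", "http://101.99.95.16/2393223809381040.dat", 200, PE_STUB),
    HttpTx(3384, "EXCEL.EXE", "GET", "http://91.193.18.87/4253313829777100.dat", 200, PE_STUB),
    # Control, constructed and not on the page: a named host returning XML.
    HttpTx(3712, "EXCEL.EXE", "GET", "http://example.com/feed.xml", 200, b"<?xml version='1.0'?>"),
]

if __name__ == "__main__":
    alerts, hosts_per_pid = triage(SAMPLE_TXS)
    for pid, url, reasons in alerts:
        print(pid, url, ",".join(reasons))
    for pid, hosts in hosts_per_pid.items():
        print(f"pid {pid} pulled a PE from {len(hosts)} hosts: {hosts}")
```

On real captures pass the leading bytes of each response body; the `e_lfanew` walk needs the body at least up to the PE signature, so keep a few hundred bytes rather than just the first two. Both Excel PIDs in the report resolve to the same three hosts, which is the per-PID view that a single-flow signature cannot give you.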